Deploying Domain Controllers in Remote Locations

WAN links often represent bottlenecks for networks running Active Directory because of their relatively low bandwidth compared with LANs. This can be a problem when you need to deploy a domain controller in a remote location. For example, if you promote a member server to the role of domain controller at a remote site that belongs to the same domain as company headquarters, the new domain controller has to replicate the entire Active Directory database from an existing domain controller at headquarters. That can swamp the WAN link for hours, causing problems for people who need to use the link for other purposes.

Windows Server 2003 offers a solution: deploying Active Directory from backup media, a method Microsoft calls "install from media." This involves backing up an existing domain controller, burning the backup file to a CD or DVD and taking it to the remote site, and then using that backup to deploy a new domain controller with a full copy of the Active Directory database. That way, no replication of AD information needs to take place over the WAN link, with the exception of any changes that may have occurred between making the backup and restoring it at the remote site.

I'll walk through these steps using two Windows Server 2003 machines, specifically:

A domain controller named TEST220

A member server named TEST210

Both of these machines belong to the same Active Directory domain named TESTTWO (testtwo.local). But before we start, a few caveats:

This procedure works only with Windows Server 2003 domain controllers.

Both the source and target machines must be in the same domain.

The target machine must have network connectivity with and be able to resolve the names of existing domain controllers in the domain.

This method copies only the Domain, Configuration, and Schema partitions, not the domainwide or forestwide DNS partitions or any custom Application partitions you have created.

You must use your backup media to deploy your remote domain controllers within 60 days (the default tombstone lifetime for Active Directory).

If you want to deploy domain controllers that also host the Global Catalog, make sure your source machine has a copy of the catalog.

Backing Up the System State of TEST220

Start the Backup utility on TEST220 by choosing Start -> Run -> ntbackup and selecting Advanced Mode. Switch to the Backup tab and select the check box for backing up the System State on the machine:

Figure 1. Backing up the System State on domain controller TEST220

Save the backup as a file named D:\ADmedia.bkf or something similar, and start the backup in the usual way. Once the backup file has been created, burn it to a CD or DVD and take it to the remote location where TEST210 is located.

A few tips:

You can speed up both the backup and restore process by clearing the "Automatically Backup System Protected Files with the System State" backup option.

When the backup is completed, you can ignore the message "Warning: Unable to open <drive>:\<path>\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory" if it is displayed.

Restoring the System State of TEST220 on TEST210

Insert the disc containing the backup of the System State of TEST220 into the drive of TEST210, and once again start the Backup utility in Advanced Mode. Switch to the Restore and Manage Media tab, select Tools -> Catalog a Backup File, and type the full path to the .bkf file you want to restore:

Figure 2. Opening the backup file

Click OK and select System State as the item you want to restore:

Figure 3. Restoring the System State of TEST220 onto TEST210

Under the option "Restore files to," select "Alternate location" and specify an empty folder on a local fixed (not removable) hard drive of TEST210 as the restore location:

Figure 4. Restoring to an alternate location

Now start the restore, and the System State info for TEST220 will be copied to the folder you specified on TEST210.

A few more tips:

Restore the backup to a folder on the same volume where Active Directory will be installed.

Ignore the message that says "Not all system state data will be restored when redirected to an alternative location."
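
The caveats and tips above (backup age, an empty restore folder on a fixed drive, the same volume as Active Directory, name resolution of an existing domain controller) can be checked on TEST210 before the restore. The following PowerShell function is an added example, not part of the original article. It assumes Windows PowerShell 2.0 or later is installed on the target server; the function and parameter names, the disc path E:\ADmedia.bkf and the folder D:\IFM are hypothetical.

```powershell
# Added example: pre-flight checks for this article's caveats and tips (hypothetical names).
function Test-IfmPrerequisite {
    param(
        [Parameter(Mandatory=$true)][string]$BackupFile,        # .bkf file on the disc
        [Parameter(Mandatory=$true)][string]$RestoreFolder,     # alternate restore location
        [Parameter(Mandatory=$true)][string]$AdVolume,          # volume where AD will be installed
        [Parameter(Mandatory=$true)][string]$DomainController,  # an existing domain controller
        [int]$MaxAgeDays = 60                                   # default tombstone lifetime quoted above
    )
    function Result([string]$Check, [bool]$Passed, [string]$Detail) {
        New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
    }
    # 1. Backup younger than the tombstone lifetime (assumes last-write time = backup time).
    if (Test-Path -LiteralPath $BackupFile -PathType Leaf) {
        $written = (Get-Item -LiteralPath $BackupFile).LastWriteTime
        $age = [math]::Floor(((Get-Date) - $written).TotalDays)
        Result 'Backup age' ($age -lt $MaxAgeDays) "$age day(s) old, limit $MaxAgeDays"
    } else {
        Result 'Backup age' $false "File not found: $BackupFile"
    }
    # 2. Restore folder must exist and be empty.
    if (Test-Path -LiteralPath $RestoreFolder -PathType Container) {
        $first = Get-ChildItem -LiteralPath $RestoreFolder -Force | Select-Object -First 1
        Result 'Restore folder empty' ($null -eq $first) $RestoreFolder
    } else {
        Result 'Restore folder empty' $false "Folder not found: $RestoreFolder"
    }
    # 3 and 4. Restore folder on a local fixed drive, on the same volume as Active Directory.
    try {
        $root = [System.IO.Path]::GetPathRoot($RestoreFolder)
        $type = (New-Object System.IO.DriveInfo $root).DriveType
        Result 'Fixed drive' ($type -eq 'Fixed') "$root is $type"
        Result 'Same volume as AD' ($root.TrimEnd('\') -eq $AdVolume.TrimEnd('\')) "$root vs $AdVolume"
    } catch {
        Result 'Fixed drive' $false $_.Exception.Message
    }
    # 5. An existing DC must resolve (checks name resolution only, not connectivity).
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($DomainController)
        Result 'DC name resolves' ($ips.Length -gt 0) (($ips | ForEach-Object { "$_" }) -join ', ')
    } catch {
        Result 'DC name resolves' $false $_.Exception.Message
    }
}

# Machine and domain names come from the walkthrough; drive letters and folder are assumed.
Test-IfmPrerequisite -BackupFile 'E:\ADmedia.bkf' -RestoreFolder 'D:\IFM' `
    -AdVolume 'D:' -DomainController 'TEST220.testtwo.local' | Format-Table Check, Passed, Detail -AutoSize
```

Any row with Passed set to False corresponds to one of the caveats or tips listed in the article and should be resolved before the restore is started.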